VMware vCenter Orchestrator Discloses Passwords to Remote Authenticated Users
|
|
SecurityTracker Alert ID: 1026816 |
|
SecurityTracker URL: http://securitytracker.com/id/1026816
|
|
CVE Reference:
CVE-2012-1513
(Links to External Site)
|
Date: Mar 16 2012
|
Impact:
Disclosure of authentication information
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): vCO 4.0, 4.1, 4.2
|
Description:
A vulnerability was reported in VMware vCenter Orchestrator. A remote authenticated user can view the vCenter Server password.
The vCenter Orchestrator (vCO) Web Configuration tool allows a remote authenticated user to retrieve the vCenter Server password.
Alexey Sintsov from Digital Security Research Group reported this vulnerability.
|
Impact:
A remote authenticated user can view password data.
|
Solution:
The vendor has issued a fix (4.0 Update 4, 4.1 Update 2, 4.2 Update 1).
The vendor's advisory is available at:
http://www.vmware.com/security/advisories/VMSA-2012-0005.html
|
Vendor URL: www.vmware.com/security/advisories/VMSA-2012-0005.html (Links to External Site)
|
Cause:
Access control error
|
Underlying OS:
Windows (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Fri, 16 Mar 2012 07:28:35 +0000
Subject: VMware vCenter Orchestrator
|
http://www.vmware.com/security/advisories/VMSA-2012-0005.html
c. vCenter Orchestrator Password Disclosure
The vCenter Orchestrator (vCO) Web Configuration tool reflects
back the vCenter Server password as part of the webpage. This
might allow the logged-in vCO administrator to retrieve the
vCenter Server password.
VMware would like to thank Alexey Sintsov from Digital Security
Research Group for reporting this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2012-1513 to this issue.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======= ======= =================
vCO 4.2 Windows vCO 4.2 Update 1
vCO 4.1 Windows vCO 4.1 Update 2
vCO 4.0 Windows vCO 4.0 Update 4
|
|
